Gentoo Forums
Solution to Postfix TLS invalid certificate problem.
Forum: Networking & Security
tyr
n00b
Joined: 14 May 2003
Posts: 8
Location: newswall.org.uk

Posted: Mon Apr 05, 2004 11:34 pm    Post subject: Solution to Postfix TLS invalid certificate problem.

Here's a solution to a problem I experienced when using Postfix with TLS. SMTP AUTH was working fine but attempts to use TLS with Opera and Mozilla were both being rejected. The clients were complaining of an invalid certificate.

The following errors were being logged by postfix:

Code:

Apr  5 23:13:35 [postfix/smtpd] SSL_accept:before/accept initialization
Apr  5 23:13:35 [postfix/smtpd] SSL_accept:error in SSLv2/v3 read client hello A
Apr  5 23:13:35 [postfix/smtpd] SSL_accept:error in SSLv3 read client hello B
Apr  5 23:13:35 [postfix/smtpd] SSL_accept:SSLv3 flush data
Apr  5 23:13:35 [postfix/smtpd] SSL_accept:error in SSLv3 read client certificate A.
Apr  5 23:13:40 [postfix/smtpd] SSL_accept:error in SSLv3 read client certificate A
Apr  5 23:13:40 [postfix/smtpd] SSL3 alert read:fatal:bad certificate
Apr  5 23:13:40 [postfix/smtpd] SSL_accept:failed in SSLv3 read client certificate A
Apr  5 23:13:40 [postfix/smtpd] SSL_accept error from host[x.x.x.x]: 0


This problem was fixed by generating my own certificates. I found a good guide for configuring certificates and TLS for Postfix at http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html

Note: The guide above is for RedHat. The ssl cert tools for Gentoo can be found in /etc/ssl rather than /usr/share/ssl/

I'm running postfix-2.0.19 which is the most recent unmasked x86 build at the time of writing.

I hope this post is useful for anyone who runs across this problem.
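The procedure tyr describes (stop using the distribution's pre-installed certificate and generate your own) as an added shell example written for this page; it is not code from the thread, from the linked guide or from Postfix. The CA name, the host name mail.example.org, the key size and the /etc/ssl/postfix install path are assumptions. The point it makes explicit is what a mail client actually checks before it calls a certificate "invalid": the server certificate must chain to a CA the client trusts, and it must carry the name the user typed into the client. Both are verified with openssl before anything is copied into main.cf, and the client side still has to import ca.crt (or the complaint stays the same, just with a different reason).

```shell
#!/bin/sh
# Added example for this page, not the thread's, the guide's or Postfix's own code.
# Assumed for illustration: CA name, host name mail.example.org, key size,
# and the /etc/ssl/postfix install path printed by postfix_tls_main_cf.

# make_tls_chain DIR HOST
#   Creates a private CA and a server certificate for HOST inside DIR:
#   ca.key ca.crt server.key server.crt (plus CSRs, extension files, serial).
#   Runs in a subshell so the cd does not leak into the caller.
make_tls_chain() (
    cd "$1" || exit 1
    host=$2
    # 1. CA key and self-signed CA certificate. The extension file marks it
    #    as a real CA, so a client that imports ca.crt treats it as a root.
    openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
    openssl req -new -key ca.key -subj "/CN=Example Mail CA" -out ca.csr 2>/dev/null || exit 1
    openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
        -extfile ca_ext.cnf -out ca.crt 2>/dev/null || exit 1
    # 2. Server key. Left unencrypted on purpose: smtpd starts unattended and
    #    cannot answer a passphrase prompt, so the key is protected by mode 0600
    #    and root ownership instead (this is what the "nodes" CA scripts do).
    openssl genrsa -out server.key 2048 2>/dev/null || exit 1
    chmod 600 server.key
    # 3. CSR whose CN, and the SAN below, is the name users type into their
    #    mail client. A name mismatch is reported as an invalid certificate.
    openssl req -new -key server.key -subj "/CN=$host" -out server.csr 2>/dev/null || exit 1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$host" > server_ext.cnf
    # 4. Sign the server certificate with the CA.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -sha256 -extfile server_ext.cnf -out server.crt 2>/dev/null || exit 1
)

# verify_tls_chain DIR HOST
#   The two checks a client performs: does server.crt chain to ca.crt, and
#   does it carry HOST? Prints ok or FAIL.
verify_tls_chain() {
    if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
    then echo ok
    else echo FAIL
    fi
}

# postfix_tls_main_cf: the main.cf lines for the files once they are installed.
postfix_tls_main_cf() {
    cat <<'EOF'
# postfix-2.0.x with the TLS patch used: smtpd_use_tls = yes
# postfix 2.3 and later use the following line instead
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_key_file  = /etc/ssl/postfix/server.key
smtpd_tls_CAfile    = /etc/ssl/postfix/ca.crt
# 1 is enough day to day; 2 and above trace the handshake state machine,
# 3 and above add the hex dumps seen in this thread
smtpd_tls_loglevel  = 1
EOF
}

# Demo: build the chain in a scratch directory and verify it with the right
# name and with a wrong one.
work=$(mktemp -d)
if make_tls_chain "$work" mail.example.org; then
    echo "mail.example.org: $(verify_tls_chain "$work" mail.example.org)"   # ok
    echo "smtp.example.org: $(verify_tls_chain "$work" smtp.example.org)"   # FAIL
    postfix_tls_main_cf
fi
rm -rf "$work"
```

Once the files are in place and postfix has been reloaded, the same check can be run against the live daemon with `openssl s_client -starttls smtp -connect mail.example.org:25 -CAfile ca.crt`; a "Verify return code: 0 (ok)" at the end is what the mail clients need to see, and anything else names the reason they are rejecting the certificate.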
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1500

Posted: Thu May 20, 2004 2:09 pm    Post subject: Dead link.. need help

Bummer.. the link is dead. I'm running across this same problem. I generated my own certs.. but I'm thinking I have problems with them. Occasionally, Eudora users are receiving an invalid certificate.

thanks
hanj
7dave7
n00b
Joined: 21 Sep 2003
Posts: 12

Posted: Sun May 23, 2004 12:15 am

Quote:
Bummer.. the link is dead. I'm running across this same problem.


Try this one:
http://mia.ece.uic.edu/~papers/volans/settingupCA.html
MarkH
n00b
Joined: 11 Feb 2004
Posts: 25

Posted: Thu Oct 14, 2004 8:41 pm    Post subject: Re: Solution to Postfix TLS invalid certificate problem.

tyr wrote:
Here's a solution to a problem I experienced when using Postfix with TLS. SMTP AUTH was working fine but attempts to use TLS with Opera and Mozilla were both being rejected. The clients were complaining of an invalid certificate.
[...]
This problem was fixed by generating my own certificates. I found a good guide for configuring certificates and TLS for Postfix at http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_tls_support.html

Note: The guide above is for RedHat. The ssl cert tools for Gentoo can be found in /etc/ssl rather than /usr/share/ssl/

Spot on for me too - thanks. (Good high speed overview of SSL also)
dashnu
l33t
Joined: 21 Jul 2004
Posts: 703
Location: Casco Maine

Posted: Wed Jan 12, 2005 3:31 pm

I too am receiving ssl errors.

Code:
Jan 10 12:47:59 ox postfix/smtpd[5284]: starting TLS engine
Jan 10 12:47:59 ox postfix/smtpd[5284]: connect from unknown[192.168.1.248]
Jan 10 12:47:59 ox postfix/smtpd[5284]: setting up TLS connection from unknown[192.168.1.248]
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:before/accept initialization
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FA0] (11 bytes => -1 (0xFFFFFFFF))
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:error in SSLv2/v3 read client hello A
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FA0] (11 bytes => 11 (0xB))
Jan 10 12:47:59 ox postfix/smtpd[5284]: 0000 80 34 01 03 01 00 1b 00|00 00 10     .4...... ...
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FAB] (43 bytes => -1 (0xFFFFFFFF))
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:error in SSLv2/v3 read client hello B
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FAB] (43 bytes => 43 (0x2B))


And further down.. It accepts the connection..

Code:
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:SSLv3 flush data
Jan 10 12:47:59 ox postfix/smtpd[5284]: TLS connection established from unknown[192.168.1.248]: TLSv1 with cipher RC4-MD5 (128/128 bits)


Looks like my TLS connection is all fine and dandy but these errors are driving me nuts. I am using the default pre-installed postfix certs.

Now I have a few questions. I have gone through your link and tried to create my own ssl certs.

I get all the way to signing my cert and it throws an error.
Code:
root@ox misc #  ./CA_nodes -sign
Using configuration from /etc/ssl/openssl.cnf
27354:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=unique_subject
Enter pass phrase for ./demoCA/private/cakey.pem:



I am using openssl version 0.9.7d-r2

If I continue on with the process It seems to finish.

edit **
I do all the regular stuff: telnet localhost 25, I see 250-STARTTLS.
Then I try to connect via evolution and receive the same error in the logs.


So no idea what is going on there.. And I also need to make certs for cyrus-imapd. Its default certs do not work.. One way I test this is by going to https://mail.server.com:993 and I get an invalid cert error. However this does work with evolution and outlook.. Why, I do not know. Entourage (M$ mac client) will not work.. and I think this stems from bad certs for imapd. I have a "virtual mail" server running fine from a while back where all certs are fine.. I can't figure out what I am doing wrong.. Any help would kick some major arse!
_________________
write quit bang
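The two logs quoted in this thread are not the same failure, and the difference is worth making mechanical. Postfix logs "SSL_accept:error in <state>" from its TLS info callback whenever SSL_accept returns -1, which with non-blocking sockets is the normal "want more data" condition: dashnu's own dump shows the read returning -1 and then the same read succeeding on the next line, and the session ends in "TLS connection established". tyr's log instead contains "SSL3 alert read:fatal:bad certificate" followed by "SSL_accept:failed in": an alert received from the peer, so it is the client announcing that it rejected the server's certificate, and "failed in" (return value 0) is the real handshake failure. The state name "read client certificate A" only says where the server was waiting when the alert arrived. The following added shell example, written for this page and not taken from the thread or from Postfix, sorts smtpd sessions by that rule; the sample log is constructed from the lines above with invented pids and hosts.

```shell
#!/bin/sh
# Added example for this page, not the thread's or Postfix's own code.
# SAMPLE_LOG is constructed from the two logs in this thread: pid 5284 is
# the harmless trace (ends in "TLS connection established"), pid 6100 is
# the real failure (fatal alert from the client, then "failed in").
SAMPLE_LOG='Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:before/accept initialization
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FA0] (11 bytes => -1 (0xFFFFFFFF))
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:error in SSLv2/v3 read client hello A
Jan 10 12:47:59 ox postfix/smtpd[5284]: read from 080B3600 [080C2FA0] (11 bytes => 11 (0xB))
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:error in SSLv2/v3 read client hello B
Jan 10 12:47:59 ox postfix/smtpd[5284]: SSL_accept:SSLv3 flush data
Jan 10 12:47:59 ox postfix/smtpd[5284]: TLS connection established from unknown[192.168.1.248]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jan 10 12:48:30 ox postfix/smtpd[6100]: SSL_accept:before/accept initialization
Jan 10 12:48:30 ox postfix/smtpd[6100]: SSL_accept:error in SSLv2/v3 read client hello A
Jan 10 12:48:30 ox postfix/smtpd[6100]: SSL_accept:SSLv3 flush data
Jan 10 12:48:30 ox postfix/smtpd[6100]: SSL_accept:error in SSLv3 read client certificate A
Jan 10 12:48:35 ox postfix/smtpd[6100]: SSL3 alert read:fatal:bad certificate
Jan 10 12:48:35 ox postfix/smtpd[6100]: SSL_accept:failed in SSLv3 read client certificate A
Jan 10 12:48:35 ox postfix/smtpd[6100]: SSL_accept error from unknown[192.168.1.77]: 0'

# classify_tls_sessions: read smtpd TLS trace lines on stdin, print one line
# per smtpd process: "<pid> <verdict>".
#   established ...       handshake completed; "error in" lines were retries
#   client-rejected-cert  peer sent a fatal alert (its verdict on our cert)
#   handshake-failed      "failed in" / "SSL_accept error" without an alert
#   incomplete            trace cut off before any outcome
classify_tls_sessions() {
    awk '
    match($0, /smtpd\[[0-9]+\]/) {
        pid = substr($0, RSTART + 6, RLENGTH - 7)
        if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
        if ($0 ~ /TLS connection established/) {
            established[pid] = 1
        } else if ($0 ~ /alert read:fatal:/) {
            # "alert read" = received from the peer; keep the alert name
            a = $0; sub(/.*alert read:fatal:/, "", a); alert[pid] = a
        } else if ($0 ~ /SSL_accept:failed in/ || $0 ~ /SSL_accept error from/) {
            failed[pid] = 1
        } else if ($0 ~ /SSL_accept:error in/) {
            # SSL_accept returned -1 (want read/write): retried, not fatal
            retries[pid]++
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            pid = order[i]
            if (pid in established)  v = ("established retries=" (retries[pid] + 0))
            else if (pid in alert)   v = ("client-rejected-cert alert=" alert[pid])
            else if (pid in failed)  v = "handshake-failed"
            else                     v = "incomplete"
            print pid " " v
        }
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | classify_tls_sessions
# 5284 established retries=2
# 6100 client-rejected-cert alert=bad certificate
```

On a real box the same function takes `grep 'postfix/smtpd' /var/log/mail.log | classify_tls_sessions`; sessions that come out as "established" with a non-zero retry count are the ones to stop worrying about, and the cure for the noise itself is lowering smtpd_tls_loglevel, not touching the certificates.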